Defect in car security system aids carjackers, thieves

Since 2016, there have been multiple instances of attacks on keyless entry car-locks, and there's a burgeoning industry of expensive ($5000) aftermarket alarm systems that are billed as protecting your car from these radio attacks on its security.

Pen-Test Partners evaluated several of these systems and found that the two leading models, Pandora and Viper (AKA "Clifford") were very defective, with a mix of vulnerabilities that allow attackers to track cars in realtime, extract the car and its owner's details, disable the alarm, remotely enable/disable the immobilizer, stop the car while it's in motion, eavesdrop on the in-car mic, and even steal the car.

Pen-Test Partners attacked the companies' APIs, which allow their apps to communicate with and configure the in-car systems; by modifying the parameters in API calls, they were able to hijack users' accounts, changing the associated email and password. Once that is done, "It's possible to geo-locate and follow a specific vehicle, then cause it to stop and unlock the doors."

There's plenty of room for research on even more extravagant attacks: the alarm systems interface with cars internet networks over the CAN bus — a common data infrastructure system that all the car's subsystems use to talk to each other.

Pen-Test Partners estimates that $150B worth of cars are exposed via these flaws — about 3M high-end cars.

This is a superb example of how security systems can expose users to risk: once you design a system that treats the person using it as an adversary and a remote party as trusted, then, by design, a remote party who compromises the system can attack the person who's using it. What's more, the entire system is designed to prevent the person in the car from overriding the remote party using the app, so once that initial line of defense is breached, it becomes very hard to protect yourself.

We contacted the vendors involved and gave them 7 days to take down or fix the vulnerable APIs. This is much less than the 90 days we would usually offer vendors. Why?

The vulnerabilities were easy to find, easy to fix and owners could operate the alarms without requiring the API. The supplied RF alarm key fob can be used in place of the mobile app. All the user would lose as a result of the API being taken down is the ability to remotely start the car and geo-locate it.

Others have been looking at smart car alarms, so there was a high chance that professional criminals already have this knowledge.

There is a route for vehicle owners with these alarms fitted to mitigate these attacks themselves, but it isn't particularly satisfactory or advised: One could extract the SIM card from the alarm module in the car, though this may require some electronics skill and may affect warranties.

Pandora's UK representative responded in about 48 hours and had their Moscow-based HQ take action quickly. The IDOR was fixed overnight and we confirmed that the following morning

Viper responded faster, but took a little longer to fix the vulnerability. That one is also confirmed as fixed.

Gone in six seconds? Exploiting car alarms
[Ken Munro/Pen Test Partners]

(via Naked Capitalism)